Reduce Risk in your Software Supply Chain
Five Strategies for CISOs

A single line of code can have global repercussions within minutes. A security flaw, once exploited, can derail businesses, destabilize governments, and erode trust. This is the stark reality of software supply chain security (SSCS) – a complex domain where the rules are constantly evolving and the consequences of failure are severe.

Fortify your software ecosystem against today’s sophisticated threats by addressing first-party and third-party risk with equal rigor.

Grasping the Intricacies

The average cost of a data breach reached $4.45 million in 2023.

At its core, SSCS focuses on establishing transparency and ensuring integrity across your entire software development lifecycle (SDLC) and supply chain. Effective SSCS requires a deep understanding of the attributes and interdependencies of proprietary and open source elements throughout the supply chain. This allows you to identify and prioritize which parts are most critical to safeguard. Code-level insight differentiates SSCS from other cybersecurity realms like third-party risk management (TPRM), which typically focuses on higher-level vendor considerations such as company size, security posture, policies, and insurance coverage.

The notorious Log4Shell vulnerability highlights the importance of this end-to-end visibility. Without a clear understanding of where Log4j resided within their software ecosystem, many organizations struggled to mitigate the risk swiftly at the time, and some still struggle to this day.

Also, the business costs of such security gaps can be staggering. According to IBM’s Cost of a Data Breach report, the average cost of a data breach reached $4.45 million in 2023, and software supply chain attacks often have an even wider blast radius. Beyond the immediate financial impact, the reputational damage and loss of customer trust can be irreparable. Moreover, the time and resources diverted to incident response and remediation represent a significant opportunity cost, detracting from innovation and growth initiatives.

Managing Software Supply Chain Risk

Securing the software supply chain is not a simple, one-time checklist activity. There are, however, several proven strategies to mitigate the risks posed by third-party components in your software supply chain.

5 Strategies to Mitigate Risks

1. Generate and maintain accurate software bills of materials (SBOMs) to establish a complete inventory of your dependencies, both direct and transitive. Just as an ingredients list indicates what is in a food product, an SBOM lists the components included in a software package. An SBOM also carries metadata about each component, which is the information you need to match it against known security threats. Collecting and ingesting that metadata on an ongoing basis keeps your SBOMs in sync with your evolving codebase and gives you continuous visibility.

2. Assess the health and activity level of critical open source projects before adopting them. Use the available metadata to establish each project's security posture and to spot potentially problematic assets, such as unmaintained code or code with a long history of vulnerabilities. If the code is determined to be too risky, don't use it. Tools with advanced analytics provide insight into the maintenance status, vulnerability history, and community activity of open source components, letting you make informed decisions.

3. Implement repository and CI/CD controls to block unacceptable licenses, outdated versions, and components with known security risks. Look for solutions that support signing and attestations, SLSA, and OpenSSF Scorecard. This lets you define these policies once and enforce them automatically, which prevents attacks and minimizes the threat of risky components entering your software supply chain.

4. Continuously monitor first- and third-party components for newly disclosed security defects. Look at the quality of the metadata: does it provide actionable information? There needs to be a way to link from a security threat to the specific entities within your software supply chain ecosystem. Use tools that integrate with leading vulnerability databases and generate automated alerts when new risks are detected, allowing for rapid patching.

5. Prioritize upgrading third-party dependencies based on the severity of vulnerabilities and their reachability within your environment. Checking for known vulnerabilities and security threats is a critical aspect of risk management. Examples include supply chain compromises (SolarWinds), malware (colors.js), and data breaches (haveibeenpwned.com). Because these are public, there is a higher likelihood of exploitation and thus a greater urgency to address them. Impact analysis capabilities are the new table stakes for understanding which weaknesses pose the greatest risk to your specific applications, so you can focus remediation efforts where they matter most.
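To make strategies 1, 3, 4 and 5 concrete, the following script is an added example (not Kusari's or GUAC's code) that takes a CycloneDX-style SBOM, walks its dependency graph to tell direct from transitive components, applies a small admission policy (denied licenses, minimum versions), joins the inventory to an advisory feed, and ranks the findings by severity and reachability. The CycloneDX field names (`metadata.component`, `components`, `dependencies`/`dependsOn`, `bom-ref`) are the real ones; the package names, licenses, advisory identifiers, fixed versions and policy values are all constructed for illustration and describe no real project.

```python
"""Added example, not Kusari's or GUAC's code: inventory a CycloneDX-style SBOM,
gate it against a simple admission policy, and rank vulnerable components by
severity and by how they are reached from the application.
All SBOM, policy and advisory data below is constructed for illustration."""
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical "shop-api" service.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:maven/example/shop-api@1.0.0",
                             "name": "shop-api", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/example/logging-core@2.14.1", "name": "logging-core",
     "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"bom-ref": "pkg:npm/example/term-colors@1.4.1", "name": "term-colors",
     "version": "1.4.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:maven/example/legacy-util@0.3.0", "name": "legacy-util",
     "version": "0.3.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"bom-ref": "pkg:maven/example/orphan-lib@9.9.9", "name": "orphan-lib",
     "version": "9.9.9", "licenses": [{"license": {"id": "MIT"}}]}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/shop-api@1.0.0",
     "dependsOn": ["pkg:maven/example/logging-core@2.14.1",
                   "pkg:maven/example/legacy-util@0.3.0"]},
    {"ref": "pkg:maven/example/legacy-util@0.3.0",
     "dependsOn": ["pkg:npm/example/term-colors@1.4.1"]}
  ]
}"""

# Constructed advisory feed (hypothetical identifiers): versions below fixed_in are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "name": "logging-core", "fixed_in": "2.17.1", "severity": "critical"},
    {"id": "EXAMPLE-ADV-002", "name": "term-colors", "fixed_in": "1.4.2", "severity": "high"},
    {"id": "EXAMPLE-ADV-003", "name": "orphan-lib", "fixed_in": "10.0.0", "severity": "critical"},
]

# Constructed admission policy: licenses the organisation rejects and version floors.
POLICY = {"denied_licenses": {"AGPL-3.0-only"}, "min_versions": {"logging-core": "2.17.1"}}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
REACH_RANK = {"direct": 0, "transitive": 1, "unreferenced": 2}


def parse_version(v):
    """Compare dotted numeric versions as integer tuples (sufficient for this example)."""
    return tuple(int(p) for p in v.split("."))


def load_sbom(text):
    """Strategy 1: return (root ref, components by bom-ref, dependency adjacency list)."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root, components, graph


def classify_reachability(root, components, graph):
    """Label each component direct, transitive, or unreferenced by a BFS from the root.
    Unreferenced components are still shipped, so the label only lowers their
    priority; it never drops them from the inventory."""
    labels = {ref: "unreferenced" for ref in components}
    queue = deque((child, 1) for child in graph.get(root, []))
    while queue:
        ref, depth = queue.popleft()
        label = "direct" if depth == 1 else "transitive"
        if ref in labels and REACH_RANK[label] < REACH_RANK[labels[ref]]:
            labels[ref] = label
            queue.extend((child, depth + 1) for child in graph.get(ref, []))
    return labels


def check_policy(components, policy):
    """Strategy 3: flag components that a repository or CI/CD gate should reject."""
    violations = []
    for ref, c in components.items():
        ids = {e["license"]["id"] for e in c.get("licenses", []) if "license" in e}
        for lic in sorted(ids & policy["denied_licenses"]):
            violations.append((ref, f"denied license {lic}"))
        floor = policy["min_versions"].get(c["name"])
        if floor and parse_version(c["version"]) < parse_version(floor):
            violations.append((ref, f"version {c['version']} below minimum {floor}"))
    return violations


def match_advisories(components, advisories):
    """Strategy 4: join SBOM components to advisories by name and affected version."""
    findings = []
    for ref, c in components.items():
        for adv in advisories:
            if adv["name"] == c["name"] and parse_version(c["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"ref": ref, "advisory": adv["id"], "severity": adv["severity"]})
    return findings


def prioritize(findings, reachability):
    """Strategy 5: order findings by severity first, then by reachability from the app."""
    for f in findings:
        f["reachability"] = reachability[f["ref"]]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], REACH_RANK[f["reachability"]]))


def triage(sbom_text, advisories=ADVISORIES, policy=POLICY):
    """Run the whole pipeline and return policy violations plus ranked findings."""
    root, components, graph = load_sbom(sbom_text)
    reach = classify_reachability(root, components, graph)
    return {"policy_violations": check_policy(components, policy),
            "findings": prioritize(match_advisories(components, advisories), reach)}


if __name__ == "__main__":
    result = triage(SBOM_JSON)
    for ref, why in result["policy_violations"]:
        print(f"BLOCK    {ref}: {why}")
    for f in result["findings"]:
        print(f"{f['severity']:<8} {f['reachability']:<12} {f['advisory']} {f['ref']}")
```

Run as written, the script blocks `legacy-util` (denied license) and `logging-core` (below the version floor), then lists the critical, directly reachable `logging-core` advisory first, the critical but unreferenced `orphan-lib` advisory second, and the high-severity transitive `term-colors` advisory last. Version comparison here is deliberately simple; a production gate would use the ecosystem's own version semantics and a real advisory source, and would treat an "unreferenced" label as a prompt to fix the SBOM's dependency data rather than as a reason to ignore the component.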

What about AI? 

In AI, issues and threats usually manifest themselves in data rather than code. The code of an AI system is generally quite static: it is a strategy for moving parameters towards a high value of an objective function. The parameters that end up encoding the model, however, are what ultimately determine its behavior. You wouldn’t turn over your strategic decisions to an AI model. Hopefully, you wouldn’t turn over your tactical decisions, either. If you let an unsupervised model decide which versions of which libraries to include in your software supply chain, you will end up with unpleasant, and expensive, surprises.

“Unsupervised” is the operative word. Where AI shines is as an augmentation of human capabilities, not a replacement. The human brain is excellent at pattern recognition, but computers can work with much larger data sets and do so more quickly. They also have more reliable memory. Given some history, an AI model can alert humans to potential issues earlier and suggest likely actions. The computer is not deciding what to do; it is giving the human a head start on the process.

The practice of SSCS represents a profound mindset shift from reactively patching opaque third-party risks to proactively governing what is permitted into your software supply chain.

Kusari Answers the Call

Kusari empowers you to make this shift by providing visibility, controls, and actionable intelligence.

Start with SBOM management, then move quickly to meaningful visibility and risk assessment by correlating and prioritizing threats in your software ecosystem. Share that data with stakeholders (security teams, developers, legal, compliance, finance and others) so you can align better and make decisions more efficiently.

About Kusari

Kusari was founded by three cybersecurity experts on a mission to bring transparency and security to the software supply chain. Backed by J2 Ventures, Glasswing Ventures, and Unusual Ventures, we help enterprises understand and secure their complex software supply chains, from code to cloud.

Kusari delivers complete visibility into all components of the supply chain and context for how they interact. Developers can pinpoint and respond to threats efficiently; security teams gain a single source of truth to manage risk.

An advocate of open source, Kusari is a creator and maintainer of the OpenSSF’s GUAC project, and our team holds positions of influence in the open source software (OSS) community.

Want to learn more?

Take these next steps:

Securing the Software Supply Chain eBook

Download our eBook

https://bit.ly/3Uj1w3b

Follow us on LinkedIn

https://bit.ly/3XGzVdo